tomcat-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject [SECURITY] CVE-2021-30639 Apache Tomcat DoS
Date Mon, 12 Jul 2021 13:03:15 GMT
CVE-2021-30639 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.3 to 10.0.4
Apache Tomcat 9.0.44
Apache Tomcat 8.5.64

An error introduced as part of a change to improve error handling during 
non-blocking I/O meant that the error flag associated with the Request 
object was not reset between requests. This meant that once a 
non-blocking I/O error occurred, all future requests handled by that 
request object would fail. Users were able to trigger non-blocking I/O 
errors, e.g. by dropping a connection, thereby creating the possibility 
of triggering a DoS.
Applications that do not use non-blocking I/O are not exposed to this 

Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 10.0.5 or later
- Upgrade to Apache Tomcat 9.0.45 or later
- Upgrade to Apache Tomcat 8.5.65 or later

2021-07-12 Original advisory


View raw message